CVE-2017-6396 in WPO-Foundation WebPageTest
Summary
by MITRE
An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the "webpagetest-master/www/compare-cf.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/13/2026
The vulnerability identified as CVE-2017-6396 resides within the WPO-Foundation WebPageTest version 3.0, specifically in the compare-cf.php script that handles user input through URL parameters. This represents a classic cross-site scripting vulnerability that allows malicious actors to inject arbitrary HTML and script code into the web application's response. The flaw stems from inadequate input validation and output encoding practices, where user-supplied data flows directly into the HTTP response without proper sanitization or escaping mechanisms. The affected component at webpagetest-master/www/compare-cf.php serves as an entry point for attackers to manipulate the application's behavior and potentially compromise user sessions or execute malicious payloads in the context of the vulnerable website.
The technical exploitation of this vulnerability follows established patterns for cross-site scripting attacks, with the vulnerability mapping directly to CWE-79 - Improper Neutralization of Input During Web Page Generation. The flaw occurs because the application fails to properly filter or escape user-provided data before incorporating it into dynamically generated HTML content. When a user accesses the vulnerable URL with malicious input, the script processes this data without adequate sanitization, allowing attackers to inject script tags or other HTML elements that execute in the victim's browser context. This creates a persistent threat vector where attackers can manipulate the web application's functionality and potentially steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with a foothold for more sophisticated attacks within the web application's security context. The vulnerability enables potential session hijacking, data theft, and privilege escalation attacks that could compromise the integrity of the WebPageTest platform and its users' data. Attackers could leverage this flaw to manipulate test results, inject malicious code into test reports, or redirect users to phishing sites that appear legitimate within the application's interface. The vulnerability affects all users of the WebPageTest 3.0 version, including administrators and regular users, making it a critical concern for organizations relying on this performance testing tool. According to ATT&CK framework, this vulnerability maps to T1059.007 - Command and Scripting Interpreter: JavaScript, where attackers can execute malicious JavaScript code through the XSS vector.
Mitigation strategies for CVE-2017-6396 should focus on implementing comprehensive input validation and output encoding mechanisms throughout the WebPageTest application. The primary defense involves sanitizing all user-supplied input before processing and ensuring proper HTML escaping when rendering dynamic content. Organizations should implement Content Security Policy headers to limit script execution and prevent unauthorized code injection. Regular security updates and patches should be applied immediately upon availability, as this vulnerability affects a specific version of the software. Input validation should enforce strict character set restrictions and reject potentially dangerous patterns such as script tags or event handlers. Additionally, the application should implement proper session management and authentication controls to minimize the potential impact of successful exploitation. Security monitoring and logging should be enhanced to detect unusual patterns in URL parameters that might indicate attempted exploitation of this vulnerability, with regular security audits to ensure all input handling mechanisms properly address cross-site scripting threats.